News briefs: The latest on JPMorgan Chase, the Mozart malware and more

» In an SEC filing in early October, JPMorgan Chase revealed the extent of a breach believed to have been perpetrated by Russian state-sponsored attackers. The financial institution said that the cyberattack exposed customer contact information linked to 76 million households and seven million small businesses. The company reassured customers that account information did not appear to be compromised.

» Akamai security researcher Stephane Chazelas discovered a major bug that is posited to have existed for many years and that trumps even the notorious Heartbleed bug in its seriousness. The Bash bug (CVE-2014-6271), also referred to as ShellShock, exists in the Unix Bourne Again Shell (BASH) and makes it possible for attackers to exploit Linux and Apple OS X systems. The prevalence of Bash shells in everything from servers to web-connected Internet of Things (IoT) devices heightened concern about the bug’s impact. Patches for the vulnerability were issued soon after it was disclosed in late September.

» A Department of Homeland Security report said that new malware, called “Mozart,” was behind the security breach at Home Depot, revealed earlier this year. According to a story in The Wall Street Journal, Mozart was tailored to attack the home improvement retailer’s systems. The report said that the word Mozart appeared in the software’s code and may have referenced the hacker’s system.

» Over the course of almost a year, Chinese hackers targeted and successfully infiltrated government contractors’ systems to steal sensitive information and, in one case, access systems onboard an American commercial ship. The U.S. Senate Armed Services Committee spearheaded the release of the “Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors” report to determine whether the U.S. Transportation Command (TRANSCOM) was alerted to the breaches in its contractors’ systems, resulting in 50 successful intrusions. In nearly all cases, TRANSCOM had no idea of the intrusions.

» Researchers are warning Android users of a major vulnerability (CVE-2014-6041) that impacts a vital browser security mechanism called Same-Origin Policy (SOP). The bug – called a “privacy disaster” by Tod Beardsley, engineering manager at Rapid7 – was patched by Google, but it could still take months for many users to get the update through their device manufacturers or service providers, he said. The flaw could allow a saboteur to circumvent the Android Open Source Platform (AOSP) browser’s SOP, and use an arbitrary website they control to “peek into the contents of any other webpage,” Beardsley wrote at the time. The concern impacts approximately 75 percent of Android users who run platforms older than version 4.4.

» Researchers at Gartner predict that 75 percent of mobile applications will fail basic security tests through the end of 2015, leaving businesses vulnerable to attack and violations of their security policies. Gartner’s findings also revealed that enterprises are increasingly embracing bring-your-own-device (BYOD). The report noted that apps that employees download from app stores, as well as the mobile apps that can “access enterprise assets or perform business functions,” don’t come with security assurance.